LeakedIn: Hacker Posts 6.4 Million LinkedIn Passwords


The encrypted LinkedIn passwords of more than 6.4 million users
have hit the Web after a reported hack, an incident that comes on
the heels of another slip-up involving the company's insecure
mobile app.

The file containing 6,458,020 LinkedIn passwords appeared on a
Russian Web forum; researchers from the security firm Sophos confirmed that
the file does contain user passwords of Sophos staffers.
(Scroll to the end of this story to learn how to check for
your own password.)

All of the passwords are encrypted, but the encryption algorithm
used is relatively weak and it appears thousands of passwords
have already been cracked.

No associated email addresses appear in the file, but as Sophos'
Graham Cluley says, "It is reasonable to assume that such
information may be in the hands of the criminals."

"Members that have accounts associated with the compromised
passwords will notice that their LinkedIn account password is no
longer valid. These members will also receive an email from
LinkedIn with instructions on how to reset their passwords."

Silveira noted that everyone who updates his or her password will
benefit from the "enhanced security we just recently put in
place, which includes hashing and salting of our current password
databases."

Security experts might argue that "salting," or adding random
data to each password before it is hashed, is something that should be done
before, not after, a huge data breach. Had LinkedIn salted its
password hashes before today, there likely wouldn't
be a problem.
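To show what the salting argument above means in practice, here is an added example (not LinkedIn's code, and not from the original article) that compares unsalted SHA-1, the scheme reflected in the leaked list, with a per-user salted hash. The "precomputed table" and the user passwords are constructed sample data; the digest for "password" is the genuine SHA-1 value quoted later in the article.

```python
import hashlib
import os

# Constructed sample: a tiny precomputed table of common-password hashes,
# the kind of lookup that cracks an unsalted list without any guessing.
COMMON_PASSWORDS = ["password", "123456", "linkedin"]


def unsalted_sha1(password: str) -> str:
    """Unsalted SHA-1: every user with this password gets the same digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    """Per-user salt prepended before hashing; the salt is stored next to the hash.
    (A modern design would also use a deliberately slow KDF; salting alone is
    what the article's point is about.)"""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def new_salt() -> bytes:
    """Fresh random salt for each account."""
    return os.urandom(16)


def build_table(passwords):
    """Map unsalted digest -> password, as a precomputed cracking table would."""
    return {unsalted_sha1(p): p for p in passwords}


def lookup(table, digest):
    """Return the password if the digest is in the table, else None."""
    return table.get(digest)


def demo():
    """Two users (alice and bob, constructed) who both chose 'password'."""
    table = build_table(COMMON_PASSWORDS)
    alice_u, bob_u = unsalted_sha1("password"), unsalted_sha1("password")
    alice_s = salted_sha1("password", new_salt())
    bob_s = salted_sha1("password", new_salt())
    return {
        "unsalted_collide": alice_u == bob_u,      # one table hit exposes both
        "unsalted_cracked": lookup(table, alice_u),  # "password"
        "salted_collide": alice_s == bob_s,        # different salts, different hashes
        "salted_cracked": lookup(table, alice_s),  # None: table is useless
    }
```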

In a Twitter post this morning (June 6) from its @LinkedIn feed, the company had
written, "Our team is currently looking into reports of stolen
passwords. Stay tuned for more."

In a tweet sent two hours later, LinkedIn wrote, "Our team
continues to investigate, but at this time, we're still unable
to confirm that any security breach has occurred."

Security professionals took to Twitter and to blogs to criticize
LinkedIn's response.

Security consultant Robert David Graham wrote on his Errata Security blog, "I can
confirm this hack is real: the password I use for LinkedIn is
in that list. I use that password NOWHERE ELSE. Furthermore,
it's long/complex enough that I'm confident NOBODY ELSE uses
the same password."

"I must agree with the general consensus that LinkedIn is
shamefully negligent," tweeted City College of San Francisco
computer-security professor Sam Bowne. "It's easy to confirm
the dump is real."

"By all indications it doesn't appear LinkedIn has contained the
compromise yet, so everyone should be aware that they may have
to change their passwords multiple times," Carey told
SecurityNewsDaily. "You should still go ahead and change it
straight away, but you may have to change it for a second time if
it turns out the attackers are still entrenched in LinkedIn's
systems."

It's also important to be aware of suspicious emails in the next
few days that claim to be from LinkedIn.
Phishing scams will invariably pop up in an attempt to
trick you into entering a new password on a site that looks like
LinkedIn, but is actually a clever spoof. When you change your
LinkedIn login details, do it directly on LinkedIn's site and not
from a link in an email.

Unfortunately for LinkedIn, the password leak is not the least of
its problems.

LinkedIn was forced today to update its mobile app to fix a flaw
that transmitted the details of users' calendar entries —
including meeting locations, participants, meeting notes and
passwords — back to LinkedIn's servers without their knowledge.

The update came after researchers from Israel-based Skycure Security uncovered the flaw,
prompting LinkedIn to take quick action to fix the problem.

In a blog post today, LinkedIn's Joff Redfern addressed the
issue, explaining that the calendar-sharing service is, and will
continue to be, an opt-in feature users can turn off at any time.

The information is sent over a secure SSL connection, Redfern
said, and none of it is stored on LinkedIn's servers or shared
"for purposes other than matching it with relevant LinkedIn
profiles."

The changes have been made on Android, and will be available
shortly for Apple devices.

About the calendar feature in question, Redfern stressed, "It's a
great feature. We hope you try it out. If at any time you decide
it's not for you, then you can always go to the mobile apps
setting page to turn [it] off."

Checking your LinkedIn password

UPDATE: The file containing the LinkedIn
passwords has been removed from the Yandex site as of 4:30 p.m.
ET Wednesday.

However, the file has been duplicated at several other locations
around the Web, and a website has gone up at http://leakedin.org that offers to check
your password against the list. The site's experiencing heavy
traffic and it may take several attempts to get through.

If you'd like to check whether your password is on the list of
stolen passwords, you can download the huge 118-megabyte file
from the Russian Yandex site here. You'll probably need a tough text
editor to open the whole thing; alternately, try Microsoft
Word.

Then you'll need to search for your LinkedIn password's SHA-1
hash. Plug your password into the online SHA-1 hash generator at
http://www.sha1-online.com. Copy the
output and search for it in the file.

If you don't get a result right away, clip the first five digits
from the hash and search again. Whoever uploaded the LinkedIn
password list replaced the first five digits of every hash that's
already been hacked with five zeroes.

For example, the hash for "password" is
"5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8." On the list, it
appears as "000001e4c9b93f3f0682250b6cf8331b7ee68fd8," indicating
that it's already been cracked.
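The lookup described in the steps above, written out as an added example (not from the article or from leakedin.org): it hashes the password locally, so the password never leaves the machine, and checks both the exact digest and the form with the first five characters replaced by zeroes. The list contents here are a constructed sample in the same one-hash-per-line layout; the two real digests are those of "password" (from the article) and "123456".

```python
import hashlib

# Constructed sample of the leaked-list format: one 40-character SHA-1 hex
# digest per line, with the first five characters zeroed when the entry had
# already been cracked. Line 1 is the masked "password" hash from the article,
# line 2 is the unmasked SHA-1 of "123456", line 3 is a made-up filler entry.
SAMPLE_LIST = """\
000001e4c9b93f3f0682250b6cf8331b7ee68fd8
7c4a8d09ca3762af61e59520943dc26494f8941b
00000a0bd7bb9b7b2f6d8e5f4a3b2c1d0e9f8a7b
"""

MASK = "00000"  # prefix the uploader substituted for already-cracked hashes


def sha1_hex(password: str) -> str:
    """SHA-1 of the password, lower-case hex, computed locally."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def load_hashes(text: str) -> set:
    """Parse the list into a set for O(1) membership tests; tolerate blank lines."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def check_password(password: str, hashes: set) -> str:
    """Report whether the password's hash appears in the list, and in which form."""
    digest = sha1_hex(password)
    if digest in hashes:
        return "present"                     # listed, not yet marked as cracked
    if MASK + digest[len(MASK):] in hashes:
        return "present, marked cracked"     # first five characters zeroed
    return "not found"


if __name__ == "__main__":
    hashes = load_hashes(SAMPLE_LIST)
    for pw in ("password", "123456", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw, hashes)}")
```

Against the real 118 MB file, read it with `open(path)` and pass the contents to `load_hashes`; the lookup logic is unchanged.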

If you do both and find nothing, your LinkedIn password isn't on
the list. But you should change it anyway.